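name: Release

on:
  push:
    tags: ['v*']

# Least-privilege token: the only write this workflow performs is creating
# the GitHub release/assets, which needs contents:write and nothing more.
permissions:
  contents: write

jobs:
  build:
    runs-on: macos-latest
    steps:
      # NOTE(review): action refs are mutable tags. Pinning each `uses:` to a
      # full commit SHA (tag kept in a trailing comment) hardens against tag
      # retargeting upstream; left as tags here because the SHAs are not
      # recorded in this file.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          # Quoted so the version always reaches the action as a string.
          node-version: '24'
          cache: npm

      # Tags containing a hyphen (e.g. v1.2.0-beta.1) publish to the beta
      # channel as a GitHub prerelease; plain tags publish to latest.
      - name: Determine update channel
        id: release-channel
        shell: bash
        run: |
          if [[ "$GITHUB_REF_NAME" == *-* ]]; then
            echo "channel=beta" >> "$GITHUB_OUTPUT"
            echo "ep_pre_release=true" >> "$GITHUB_OUTPUT"
          else
            echo "channel=latest" >> "$GITHUB_OUTPUT"
            echo "ep_pre_release=false" >> "$GITHUB_OUTPUT"
          fi

      # Refuse to release when any package.json version disagrees with the
      # tag (minus its leading "v"), so a mistagged build cannot ship.
      - name: Verify tag matches package versions
        shell: bash
        run: |
          expected="${GITHUB_REF_NAME#v}"
          for file in package.json packages/core/package.json packages/cli/package.json packages/mcp/package.json packages/app/package.json; do
            actual="$(node -p "require('./$file').version")"
            if [ "$actual" != "$expected" ]; then
              echo "::error::$file version $actual does not match tag $GITHUB_REF_NAME"
              exit 1
            fi
          done

      # Hard-fail up front if any required signing/notarization credential
      # is missing. Per spec #hard-constraints (§4.3): "The packaging
      # pipeline refuses to produce a release build when signing/
      # notarization credentials are missing (hard failure, not a silent
      # skip)." Naming the specific missing variable makes misconfiguration
      # diagnosable from the workflow log without spelunking.
      - name: Verify signing credentials
        # `${!name}` indirect expansion is bash-specific; pin the shell
        # explicitly instead of relying on the runner default.
        shell: bash
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
        run: |
          missing=0
          for name in APPLE_ID APPLE_APP_SPECIFIC_PASSWORD APPLE_TEAM_ID CSC_LINK CSC_KEY_PASSWORD; do
            if [ -z "${!name}" ]; then
              echo "::error::missing required env var: $name"
              missing=1
            fi
          done
          if [ "$missing" -ne 0 ]; then
            echo "::error::Release build aborted — signing/notarization credentials are incomplete."
            echo "::error::Configure these as GitHub repo secrets (see packages/app/README.md)."
            exit 1
          fi
          echo "All required credentials present."

      - run: npm ci
      - run: npm run build
      - run: npm run build -w packages/app

      # Pre-flight ABI check. Per spec §4.5 #testing-discipline: verify:mcp-abi
      # is release-blocking for packaged builds (same severity class as missing
      # signing credentials). Shipping with the wrong ABI in native-cache/
      # silently breaks Claude Desktop's setlist integration for every user
      # who opens the packaged app, so we refuse to package from a broken state.
      - name: Pre-flight ABI check
        run: npm run verify:mcp-abi

      - name: Package, sign, notarize, and publish
        working-directory: packages/app
        env:
          # GitHub token for electron-updater's publish step.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Developer ID certificate (base64-encoded .p12) and its password.
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          # Apple ID credentials for notarization.
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          # GitHub prerelease marker. electron-builder checks this before
          # publish.releaseType, so beta tags become prereleases while stable
          # tags remain normal releases.
          EP_PRE_RELEASE: ${{ steps.release-channel.outputs.ep_pre_release }}
          # Update channel is handed over through the environment rather than
          # interpolated into the command line with ${{ }}, so the value is
          # never re-parsed by the shell as part of the script text.
          RELEASE_CHANNEL: ${{ steps.release-channel.outputs.channel }}
        run: npm run package:mac -- --publish always "--config.publish.channel=$RELEASE_CHANNEL"

      - name: Post-package ABI check
        run: npm run verify:mcp-abi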